pedestal

simongray 2020-11-23T14:14:33.178600Z

Maybe I am dense, but what does this mean?

::http/join?	
If false, do not block the thread that starts the web server. Passed to the container.
And why would I want the thread blocked/not blocked?

2020-11-23T14:16:57.179700Z

When running the server from a repl, you wouldn’t want to block the repl so you’d use ::http/join? false during development.

simongray 2020-11-23T14:26:34.180600Z

@ddeaguiar Thank you. Is there any reason to not just use ::http/join? false all the time?

2020-11-23T14:33:58.182600Z

Hrm, good question. I don’t recall off hand. Will look into it!

👍 1
orestis 2020-11-23T14:36:12.183800Z

your main thread will exit, right? The JVM will probably keep going (is the Jetty thread daemon?)

orestis 2020-11-23T14:39:04.184100Z

In production we actually have this:

(defn join-server-thread [system]
  (let [^org.eclipse.jetty.server.Server jetty-server (get-in system [:pedestal :service :io.pedestal.http/server])]
    (.join jetty-server)))

2020-11-23T14:42:38.186200Z

Think @orestis is right.

orestis 2020-11-23T14:44:17.187300Z

And our -main looks like this:

(defn -main [& args]
  (println "Starting...")
  (java.security.Security/setProperty "networkaddress.cache.ttl" "30")
  (nosco.util.repl/try-start-nrepl 6666)
  (let [conf (prod-config dev-config)
        system (try (start-system nosco.http.service/prod-service-map conf)
                    (catch Exception e
                      (shutdown-agents)
                      (throw e)))]
    (join-server-thread system)
    (shutdown-agents)))

orestis 2020-11-23T14:45:05.188200Z

I think the point was to be able to cleanly shutdown agents when the jetty thread terminates. If you let it go off you won’t be able to know when it shut down…

simongray 2020-11-23T14:48:38.190800Z

@orestis That makes sense, although I don’t have any shutdown-specific code in my case (yet). And then in addition to that, if I don’t join I will have to make up some other artificial way to keep the main process running?

orestis 2020-11-23T14:49:29.191300Z

I’m not quite sure if the Jetty thread is Daemon (will not prevent JVM from exiting) or not -> https://www.geeksforgeeks.org/daemon-thread-java/

orestis 2020-11-23T14:50:58.192900Z

But in general you should keep a handle on threads, so I think not auto-joining and manually joining as I pasted above is sane. Bonus, it’s the same configuration between REPL and production, with the difference that in REPL you never join 🙂

orestis 2020-11-23T14:51:23.193400Z

(Sorry if you already knew about daemon threads 🙂 )

simongray 2020-11-23T14:51:57.194100Z

No I don’t, so thank you for that. 🙂 I guess I will simply cargo-cult whatever everyone else is doing for now :)

orestis 2020-11-23T14:53:20.196Z

I think that for REPL you never want to join as then you wan’t be able to keep the REPL going. You can always test what happens in production if you don’t join, it’s just annoying because you have to keep re-starting the JVM…

simongray 2020-11-23T14:54:04.196900Z

yeah, I just tried it out in the REPL, but that’s why I was curious when it made sense to join.

simongray 2020-11-23T15:00:18.202200Z

BTW @ddeaguiar I actually got a working SAML 2.0 auth solution up and running pretty quickly. I’ve deliberately architected it in such a way that the relevant namespaces can eventually be put inside their own a library. The basic idea is that the library consumer (just myself for now) supplies a small configuration map, joins their routes with a set of ready-made SAML routes, and then prepends a SAML-session auth interceptor chain to any route endpoints that require controlled access. That seemed the most logical way to do it to me. Would you say this is the idiomatic way to do things in Pedestal?

2020-11-23T15:29:46.209800Z

@simongray It’s worth reviewing the benefit the library consumer gets by having the library manage routes as well. Routing and auth are different responsibilities. Sure, with SAML a service will have to participate in some sort of back-and-forth but the routes are just bindings to some implementation. I also suggest looking at prior art (even beyond Clojure). For example, I’ve not used https://github.com/propan/geheimtur in a long time but that lib did make the explicit choice to avoid dealing with routing.

simongray 2020-11-23T15:31:59.211Z

The exact routes required for the SAML flow are all configurable in the config, but I set some defaults when left unconfigured.

simongray 2020-11-23T15:37:24.214600Z

Unfortunately, I don’t think there is much prior art in the Clojure space. The primary reason I’m rolling my own is that the go-to solution in the Java space, Shibboleth-sp, is incredibly terse and I figured I would be better served by isolating the functionality I need in a small library and then re-using that for the various web services I need to make (they all require some form of SAML login). Thank you for the geheimtur link though. I didn’t know about that (and I don’t really how much OAuth 2.0 and SAML 2.0 resemble one another), but it’s useful to learn from anyway.

👍 1
simongray 2020-11-23T15:39:15.214700Z

And you can of course just use the various interceptors in a an isolated way too. I just thought that an assembled set of routes would be quite illustrative 🙂

orestis 2020-11-23T16:20:46.216700Z

Oh I’d love to see a new SAML implementation- it’s an area full of dangers and pitfalls. I assume @simongray you’re delegating the core logic to another library?

simongray 2020-11-23T16:21:43.217600Z

Yeah, I am using the metabase fork of the saml20-clj lib (which wraps the same core lib used by Shibboleth-sp)

simongray 2020-11-23T16:25:48.219100Z

and some kind of explanation of what I am doing which will eventually become the README of whatever repo I’m putting this in once I’m done with it: https://github.com/kuhumcst/louis-hjelmslev/blob/development/pedestal-sp.md